部署環境
操作系統
服務器操作系統版本:CentOS release 6.5 (Final) 2.6.32-431.el6.x86_64
軟件
軟件版本:splunk-6.4.0
tar:
splunk-6.4.0-f2c836328108-Linux-x86_64.tgz
splunkforwarder-6.4.0-f2c836328108-Linux-x86_64.tgz
rpm: splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm
splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm
IP地址
splunk服務器Ip地址:192.168.0.156
splunkforwarder服務器地址:192.168.0.140
splunk安裝
tar安裝
splunk
splunkforwarder
tar xzfv /usr/src/splunkforwarder-6.4.0-f2c836328108-Linux-x86_64.tgz -C /usr/local/
echo “export PATH=/usr/local/splunkforwarder/bin:$PATH” >> /etc/profile
source /etc/profile
rpm安裝
splunk
splunkforwarder
rpm -ivh /usr/src/splunkforwarder-6.4.0-f2c836328108-linux-2.6-x86_64.rpm
echo “export PATH=/opt/splunkforwarder/bin:$PATH” >> /etc/profile
source /etc/profile
啟動關閉
啟動:splunk start
關閉:splunk stop
重啟:splunk restart
設置開機啟動
splunk enable boot-start
更改web端口及管理端口
l splunk set splunkd-port 9998
l splunk set web-port 80
配置
基本配置文件
splunk
$SPLUNK_HOME/etc/system/local/inputs.conf
$SPLUNK_HOME/etc/system/local/server.conf
$SPLUNK_HOME/etc/system/local/web
splunkforward
$SPLUNK_HOME/etc/system/local/inputs.conf
$SPLUNK_HOME/etc/system/local/outputs.conf
$SPLUNK_HOME/etc/system/local/server.conf
splunk
inputs.conf
[default]
host = 192.168.0.156
index = _internal
[splunktcp:///9997]
server.conf
[general]
serverName = 192.168.0.156
sessionTimeout = 1h
web
[settings]
startwebserver = 1
httpport = 80
mgmtHostPort = 127.0.0.1:8089
splunkforwarder
inputs.conf
[default]
index = _internal
host = 192.168.0.140
[monitor:///var/log/maillog]
[monitor:///usr/local/tomcat-7.0.67/logs/catalina.out]
[monitor:///usr/local/jboss-5.1.0.GA/server/default/log/server.log]
sourcetype = log4j
outputs.conf
[tcpout]
defaultGroup=my_server
[tcpout:my_server]
server=192.168.0.156:9997
[tcpout-server://192.168.0.156:9997]
server.conf
[general]
serverName = 192.168.0.140
sessionTimeout = 1h
破解
破解splunk導入數據500M限制
cd $ SPLUNK_HOME
vim lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.py
if action == 'add' and not pool_object.quota_bytes['byte_value']:
quota_value = max(0, int(unallocated_bytes / 2**20))
quota_value = quota_value * 1024 * 1024
else:
quota_value = (pool_object.quota_bytes['byte_value'] or 0) / 2**20
quota_value = quota_value * 1024 * 1024
#quota_units = 'MB'
quota_units = 'TB'
mv lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/licensing.pyo /root
splunk restart
更改許可證
改為:Free許可證組
Web方式(使用瀏覽器訪問http://plunk_server_ip:8000)
設置》授權》更改許可證組
選 Free 許可證
重啟splunk
如下轉載
數據源配置
主機日志
使用Syslog服務
Linux主機/防火牆/交換機
Linux/vpn網關/防火牆/交換機等支持udp/tcp日志傳輸的設備就直接使用udp/tcp傳輸的方式把日志傳到splunk服務器
操作步驟:
splunk監聽端口
在splunk上啟用接受日志的監聽端口
tcp: 514端口
udp:514端口
web方式:
添加數據>>syslog>>UDP>>新增
填514端口
如果使用tcp,操作同udp方式
Linux/vpn網關/防火牆/交換機等配置發送日志到splunk服務器
以Linux為示例:
配置Linux中的rsyslog服務
# vim /etc/rsyslog.conf
*.* @192.168.3.70:514 #udp模式
重啟rsyslog
# service rsyslog restart
應用日志
依賴splunk universal forwarder
WebLogic和oracle日志